How Do Businesses Get Hacked?

While organizations may have some of the best security in the world protecting their information, there are people who are in charge of creating and handling that information.. Because people’s brains are impossible to secure via software, social engineering plays a key role in allowing cybercriminals to bypass computers and security software to commit acts of cyber espionage. Attacks on governments, healthcare institutions or any other organization, require a special blend of both social engineering tactics and technical attacks. The most common form of attack used to infiltrate a government’s network that takes advantage of both of these methods is what is known as a spear phishing campaign.

What is Spear Phishing?

Spear phishing attacks are a close cousin to regular phishing emails; however, a lot more thought and effort goes into these attacks. In the case of regular phishing, a cybercriminal will craft a generic, bogus email and send it to a large group of random people. With spear phishing, it is a complex campaign where the attackers have chosen a specific institution to target, and know what types of information they’re looking to steal.

The first step in a spear phishing campaign is reconnaissance. Once the attacker has chosen their target organization, they will do some research on how to find the email addresses and names of employees working within the organization. Sometimes that can be found in the contact information on the institution’s website.

Once they have the name of the person they want to target, they will then do some research online about the person, gleaning information from social networking profiles, blogs or any other information that may come up in search results. Then, they will tailor a legitimate looking email to that specific person, addressing them by name, and the body of the email will be relative to what information is found online about the subject. The purpose of this is to dupe the victim into thinking that this is a person they actually know.

In corporate or government instances, the email may be crafted to look like it is coming from a trusted source within the organization, usually someone in a position of authority. This is where the social engineering aspect of the attack comes into play, preying on a person’s natural inclination to comply with an authoritative individual. After the attacker has the attention of the victim, and they open the email there will be some sort of call to action- either clicking on a malicious link, or downloading malicious software. Once the victim completes that task, the malware will then allow the attackers access to the network, where they can then carry out their mission of cyber espionage.

How to Combat Spear Phishing and Other Criminal Tactics in the Workplace

Unfortunately, Internet security software cannot detect things like social engineering, because that is a human-to-human interaction. This is where educating yourself about best practices when using the Internet is crucial in the defense of a company.

Protect Passwords.
Use strong, unique passwords for each account you access. If a cybercriminal gets a hold of an email address or username to an account, they can use special tools to try and “crack” the password, the simpler the password, the easier it is to crack.
You can learn more about building strong passwords here.
Also, try to use two-factor authentication when available.

Don’t Take The (Phishing) Bait.
Learn about the red flags of phishing attacks. Learn about the most common factors to be on the lookout for, and how to identify spoofed emails.
You can take a deeper dive on phishing scams here.

Secure Software.
It is important to know the importance of performing regular software updates on all of the programs you use. Not performing these updates can leave holes that attackers can sneak malware through.
You can read here why software updates and patches are vital to Internet security.

Safeguard Social Media Accounts.
Since attackers will do research on their targets, make sure social media accounts privacy settings are locked down. Don’t allow any personally identifiable information to be viewable to the public, and be skeptical of people who contact you that you don’t know but seem to know you.

Here are some more weekly topics for National Cyber Security Awareness Month that you may have missed:

Who's online

About the Author

I began my career in the computer hardware industry as an Apple Genius, which allowed me to gain a vast knowledge of consumer technology and issues. At Norton, I am able to integrate my passion for technology and my passion for helping educate consumers about the evolving Internet threat landscape.